Why is this an issue?

Ephemeral storage in Kubernetes refers to temporary storage that is non-persistent, meaning it does not retain data once the container or pod is terminated. This type of storage is typically used for storing temporary files that a running container can write and read. Examples of ephemeral storage include the container’s writable layer, emptyDir volumes, and log files.

The issue arises when a container is created without any defined limits for its ephemeral storage usage. Without these limits, the container can potentially consume all available ephemeral storage on the node where it is running.

What is the potential impact?

Resource exhaustion

Without a defined limit, a container can consume all available ephemeral storage on a node. This can lead to resource exhaustion, where no more storage is available for other containers or processes running on the same node. This could cause these other containers or processes to fail or perform poorly.

Unpredictable application behavior

If a container exhausts the available ephemeral storage, it can lead to unpredictable application behavior. For instance, if an application attempts to write to the ephemeral storage and there is no space left, it may crash or exhibit other unexpected behaviors.

How to fix it

To prevent these issues, it is important to set limits on the amount of ephemeral storage a container can use. This can be done through the resources.limits.ephemeral-storage property of a container. Additionally, a default limit for a namespace can be set using a LimitRange object through spec.limits[].default.ephemeral-storage.

Code examples

Noncompliant code example

apiVersion: v1
kind: Pod
metadata:
  name: example
spec:
  containers:
    - name: web # Noncompliant
      image: nginx
      volumeMounts:
        - name: ephemeral
          mountPath: "/tmp"

apiVersion: v1
kind: Pod
metadata:
  name: example
spec:
  containers:
    - name: web # Noncompliant
      image: nginx
      volumeMounts:
        - name: ephemeral
          mountPath: "/tmp"

Compliant solution

apiVersion: v1
kind: Pod
metadata:
  name: example
spec:
  containers:
    - name: web
      image: nginx
      resources:
        limits:
          ephemeral-storage: "2Gi"
      volumeMounts:
        - name: ephemeral
          mountPath: "/tmp"

apiVersion: v1
kind: LimitRange
metadata:
  name: storage-limit-range
  namespace: namespace-with-limit-range
spec:
  limits:
  - default:
      ephemeral-storage: "10Mi"
    type: Container
---
apiVersion: v1
kind: Pod
metadata:
  name: example
  namespace: namespace-with-limit-range
spec:
  containers:
    - name: web
      image: nginx
      volumeMounts:
        - name: ephemeral
          mountPath: "/tmp"

How does this work?

By setting a limit on ephemeral storage, you ensure that a container cannot consume more than the specified amount of temporary storage. This helps prevent resource exhaustion and ensures more predictable application behavior.

Resources

Documentation

• Kubernetes Documentation - Resource Management for Pods and Containers

Standards

• CWE - CWE-770 - Allocation of Resources Without Limits or Throttling